An Android vulnerability lets you modify apps without breaking signatures

A vulnerability in Android that exists from Android 1.6 Donut, allows you modify any signed application into a Trojan program and steal data or take control of the OS, according to mobile security firm Bluebox.

The San Francisco-based company has found out the security glitch present in Android affects 99% of the devices and the company claims to have informed the Google developers about the flaw in the OS.

The Android applications make use of the cryptographic signatures and when an app is installed, Android records the digital signature of the application. The subsequent updates of the app need to match its signature and the researchers at Blubox have found a way to modify apps without breaking these cryptographic signatures.

However, it is not possible to distribute the modified app and exploit this flaw using the Google Play Store as the application entry process is updated by Google, so as to block apps with that contain the above exploit.

Apparently, Google has confirmed that there are no existing apps from the Play Store that have this problem and for now, Samsung Galaxy S4 is the only device that has a fix for the glitch. Google developers and the manufacturers are aware of the vulnerability and the patch for the security flaw is expected in upcoming software updates.